Online Security: User-Driven Tokens On The Upswing

Banks have spent the last two years steering their users to behind-the-scenes, no-fuss security tools for enhanced online authentication. This year, millions of customers may be asking banks to let them drive for awhile.

Two digital security firms, GuardID Systems and Gemalto, are among vendors who plan to roll out big with new consumer-driven authentication tokens that will marry smart-card technology with real-time risk monitoring on user-owned USB tokens. GuardID, which has been out since late fall with the retail version of its ID Vault token (the size of a flash jump drive) and software package, is now ramping up with a new banking partnership program that includes add-on services like credit monitoring from Equifax through participating banks. At press time, Gemalto was planning to introduce its Network Identity Management (NIM) card solution at the RSA Conference this month, to work with the VeriSign Identity Protection (VIP) network system introduced last year as a self-service authentication portal already supported by Yahoo!, PayPal and eBay. "Consumers believe they are at the point they need something better than what they're getting today," with username log-ins, says Francois Lasnier, vice president of banking at Gemalto. "But they realize today there's no universal solution."

Be wary of latest cyber crims

It was the year cybercriminals targeted everything from MySpace to Wikipedia, and even a website maintained by a Boy Scout troop wasn't safe for casual browsing. Computer security experts said 2006 was also the year hacking stopped being just a hobby and became a lucrative profession for computer developers and software sellers.

Like true business people, hackers not only broadened their reach by attacking popular social networking sites, they also diversified their product line by launching attacks through popular software applications like PowerPoint and Adobe Reader and expanded their activities overseas. Software makers trying to stop online crooks claim they're bracing for a new level of nastiness in 2007, including websites booby-trapped with software that automatically loads itself on the machines of users.

"Hackers realise they have a limited time before their attacks are blocked, so they are opening up their arsenal and trying everything possible," says Yuval Ben-Itzhak, of internet security company Finjan Software.

Microsoft to push new antiphishing technology

Microsoft Corp. and industry partners are pushing ahead with plans to make the Web a little safer with a new technology to combat phishing.

At next month's RSA Conference in San Francisco, the software giant plans to announce that a number of Web sites have gone through a new certification process designed to make it harder for phishers to spoof them. The process gives third-party certification authorities like VeriSign Inc. and Entrust Inc. a more stringent set of guidelines to follow when they are authenticating Web sites.

The result of the process is something called an Extended Validation Secure Sockets Layer (EV SSL) certificate, which can be used by Web sites to help reassure Web surfers that they are handing over their private information to a legitimate site.

Microsoft is ahead of other browser-makers in supporting EV SSL certificates, which will work with Internet Explorer 7 by the end of this month. But for the technology to take off, it must also be widely adopted by Web sites.

Consumers Want Better Online Banking Security

Consumers are ready to start using stronger authentication technologies and want their banks and brokerage houses to monitor online transactions for suspicious activity.

As trust among consumers for online banking continues to erode, users in the United States, Europe, Australia, and India are demanding stronger security for their online accounts, a poll published Thursday reported.

According to survey results, majorities of nearly 1,700 consumers in eight countries said they were ready to start using stronger authentication technologies that went beyond the traditional user name/password, wanted their banks and brokerage houses to monitor online banking transactions for suspicious activity, and were familiar with the term "phishing."

The fourth-annual online poll conducted by RSA, the security division of storage maker EMC, traced the ongoing slide in consumer trust: 82% of account holders said that they are less likely to respond to e-mail from their bank because of phishing scams. The results in 2005 and 2004 were 79% and 70%, respectively.

Customers want stronger authentication for Web banking, says RSA

An overwhelming majority of consumers would willingly ditch password protection in favour of stronger authentication technology for online banking, according to a global poll published by RSA Security.

The survey of nearly 1700 customers in eight countries also found that the majority of account-holders - 82% - want banks and brokerages to monitor online and telephone banking transactions for suspicious activity - similar to the way that credit card transactions are monitored.

Furthermore, a massive 91% are willing to use a new authentication method, beyond the standard username-and-password procedure, if their banks decided to offer stronger security.

Majority of Brits using online banking

More than two thirds of Britons used internet banking to conduct the majority of their banking in 2006, according to a recent survey.

The study, conducted by Lloyds TSB, found that the figure compared with fewer than one in five during 2005.

More than half of those questioned said they used online banking more often this year than they did last year, while 70 per cent of the over 50s cited the money management method as being their preference.

The most popular reason given for banking online was the constant availability of the service, with the second most cited answer being the convenience of financial management regardless of the place.

MiFID: IT contractors ride high on the waves of change

Don't you just love change? What with the moving target of customer requirements, and that constant bleat of officialdom. Not for you? Well it should be, it drives up your rates, and no one has yet invented an IT system that didn't need fiddling with to keep it performing. Change is constant and good.

If you could imagine a world without IT change, you'd imagine far fewer opportunities for freelance contractors. As a breed, they probably wouldn't exist.

And so, just as the Sarbanes Oxley and Basel II parties are winding down, another invitation to hike up the rates and make a mint presents itself: MiFID.

MiFID – rhymes with Triffid for those with a herbaceous bent – is the Markets in Financial Instruments Directive developed as part of the European Commission's Financial Services Action Plan. After eighteen months delay it is now expected to come into force by 1st November 2007.

According to business law firm Norton Rose, "MiFID has been compared to an iceberg of Titanic-sinking proportions... There is an increasing realisation that MiFID will have a fundamental impact on many investment firms."

And analyst Gartner adds that the technology impact of MiFID will be far reaching, "affecting enterprise architecture approaches, design and use of shared services, performance measurement and management, and governance."

'Phishing' scam now targeting Regions Bank

At first glance, the e-mail with a Regions Bank logo on top looks legitimate enough, asking the recipient to renew his or her online account and signed by the Regions Online Payments Department.

Look a little closer, though, and the "official notification" reveals misspelled words and bad grammar, a clear indication that the notification is anything but official. Instead, it is an example of an identity theft scam known as phishing, a Regions official said Monday.

Designed to trick people into disclosing private financial information such as user names and passwords, phishing is a new twist on an old telemarketing scam, said John Hall, a spokesman for the American Bankers Association in Washington, D.C. Phishing scams using banks' identities become more prevalent when a merger is under way, Hall said. Many Mobile-area banking customers are dealing with such changes now, given the recent merger of Regions Financial Corp. and AmSouth Bancorp.

MySpace files suit against phamous phishing king

Social networking site MySpace (part of Fox Interactive Media, Inc.) has filed a lawsuit against Scott “Spam King” Richter for violating the federal CAN-Spam Act (aka Controlling the Assault of Non-Solicited Pornography and Marketing Act) and California's anti-spam statute.

Allegedly, Richter used phished MySpace account information to send email sales campaigns without the page owner's knowledge. The filing demands monetary compensation (amount not specified) and a permanent injunction barring Richter and his various companies from MySpace.

If found guilty and there is not an out-of-court settlement, the CAN-Spam Act states that each violation is subject to fines of up to $11,000 and may include imprisonment, while the California statute adds $1000 for “each unsolicited commercial e-mail advertisement transmitted” with a maximum of $1 million per incident.

McAfee Adds Phishing Protection to Free SiteAdvisor Product

McAfee, Inc. (NYSE:MFE) today announced that McAfee(R) SiteAdvisor(TM), the world's first safe search and browse technology, now provides anti-phishing protection. Beginning immediately, consumers who download the free SiteAdvisor software will get advanced, real-time "phishing" detection that combines white lists, black lists and heuristics to provide early warnings against scam sites that can compromise consumers' identities. Current SiteAdvisor users will get this new feature automatically.
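The announcement describes a detector that layers white lists, black lists and heuristics. As an added illustration of how those three layers fit together (this is not McAfee's code or data, and the heuristics are a textbook subset rather than SiteAdvisor's), the following Python script checks a URL against an allowlist first, then a blocklist, then a handful of lookalike-URL heuristics; the lists, brand names and sample URLs are all constructed for the example.

```python
"""Added example: combining an allowlist, a blocklist and URL heuristics.

The lists and sample URLs below are constructed for illustration; they are
not McAfee's data, and the heuristics are a textbook subset, not SiteAdvisor's.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed lists: registrable domains known good / known bad.
ALLOWLIST = {"paypal.com", "ebay.com", "bankofamerica.com"}
BLOCKLIST = {"secure-paypal-login.example", "ebay-verify.example"}
# Brand strings that a lookalike host would try to include.
BRANDS = ("paypal", "ebay", "bankofamerica")
# Words that cluster in credential-harvesting URLs.
CREDENTIAL_WORDS = ("login", "signin", "verify", "secure", "account", "update", "confirm")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule; production code uses the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_reasons(url: str) -> list[str]:
    """Return the heuristics that fire for a URL (empty list = nothing suspicious)."""
    parts = urlparse(url)
    netloc = parts.netloc.lower()
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    ip_host = is_ip_literal(host)
    if ip_host:
        reasons.append("host is a raw IP address")
    # A brand name in the netloc (including any user@ part) whose registrable
    # domain is not that brand's own is the classic lookalike pattern.
    for brand in BRANDS:
        if brand in netloc and not reg.startswith(brand + "."):
            reasons.append(f"brand '{brand}' appears outside its own domain")
            break
    if "@" in netloc:
        reasons.append("userinfo '@' in URL hides the real host")
    if not ip_host and host.count(".") >= 3:
        reasons.append("deeply nested subdomain")
    text = host + parts.path.lower()
    hits = [w for w in CREDENTIAL_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("credential keywords: " + ", ".join(hits))
    if parts.scheme != "https":
        reasons.append("not served over https")
    return reasons


def classify(url: str) -> tuple[str, list[str]]:
    """Allowlist first, then blocklist, then heuristics (two or more firing = warn)."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in ALLOWLIST:
        return "allow", []
    if reg in BLOCKLIST or host in BLOCKLIST:
        return "block", ["listed as a known phishing domain"]
    reasons = heuristic_reasons(url)
    return ("warn" if len(reasons) >= 2 else "unknown"), reasons


if __name__ == "__main__":
    for u in (
        "https://www.paypal.com/signin",
        "https://secure-paypal-login.example/verify",
        "http://www.paypal.com.account-update.example/login/verify",
        "https://www.paypal.com@evil.example/",
        "http://192.0.2.10/ebay/signin",
        "https://example.org/about",
    ):
        verdict, why = classify(u)
        print(f"{verdict:8} {u}  {why}")
```

The ordering matters: the allowlist short-circuits before any heuristic runs, so a legitimate bank login page that happens to contain "login" and "secure" in its path is never flagged, while the blocklist catches known-bad domains that look perfectly ordinary to the heuristics. The heuristics only decide the sites that neither list knows about.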

Phishing is an increasingly prevalent online scam in which a criminal uses spoofed e-mails and counterfeit Web sites to trick consumers into disclosing their financial and other personal information. This can lead to immediate financial loss and longer-term identity theft. According to the Anti-Phishing Working Group, unique phishing Web sites increased by 757% from October 2005 to October 2006, the most recent month for which data is available.

Swedish bank suffers huge phishing fraud

'The Local' has reported that Sweden's largest bank, Nordea, has suffered a huge Internet-based fraud. Over 8 million kronor (nearly £600,000) has disappeared in three months as a result of tailor-made Trojans launched by Russian criminals.

The Trojan was sent in the name of the bank via a phishing email to the bank's clients. The sender encouraged clients to download a spam-fighting application. Users who downloaded the file attached to the e-mail were infected by the trojan haxdoor.ki. When the first attacks began it was clear that the haxdoor version had been modified to target the bank.

The Trojan activated itself when users tried to log in to their online banking account. It saved the information and displayed an error message asking the client to enter further access information. The criminals then had two access codes in their possession, which is enough to transfer money. The police have been able to establish that log-in information was sent to servers in the USA and then to Russia. After that, unknown criminals logged in and transferred large amounts from the bank.

Microsoft is advising users running Excel 2000 to install the new update, which is being distributed through the company's regular software update channels. An attacker who successfully exploited the most severe of the vulnerabilities that these new patches are designed to fix could take complete control of an affected system, according to Microsoft.

As Windows users await the release of Office 2007, Microsoft is cleaning up some old vulnerability issues with Excel. On Thursday, Microsoft issued a new set of patches to fix several remaining flaws in the popular spreadsheet application.

The software giant had initially released a security update on January 9 to patch five critical bugs in Excel. That version of the update did indeed protect against the security issues, according to Christopher Budd of Microsoft's Security Response Center.

But after the release, Microsoft discovered that "the update did not correctly process the phonetic information that is embedded in files that are created by using Excel in the Korean, Chinese, or Japanese executable mode," Budd wrote in a blog posting.

The New Face of Spam - It keeps coming on, stronger than ever

It’s been almost four years since the passage of the Can-Spam Act, yet spam remains as big a problem as ever. Neither congressional mandate nor technological advances seem to have had much effect. Heuristics, traffic analysis, content analysis, blacklisting and other recent advances in filtering have siphoned off only the smallest portion of unwanted e-mail.

E-mail security firm MessageLabs Inc. of New York reported large spikes in late 2006, surges that brought the level of spam to 74 percent of all e-mail traffic in November. But that figure counted only the spam that penetrated perimeter defenses. The real figure was “a staggering 89.4 percent,” according to the company.

Those figures jibe with what is being seen by the Justice Department’s Computer Emergency Readiness Team, which shares responsibility for keeping unwanted messages out of inboxes. DOJCERT program manager Kevin Cox said as much as 80 percent of the traffic hitting the gateways is spam, and the department’s filters stop 8 million to 10 million unwanted messages each month.

“If we didn’t filter this, we wouldn’t be able to get anything else done,” Cox said.

Ben Laurie and the "Kittens" phishing attack

OpenID announced the release of a new draft of OpenID Authentication 2.0 today. I'm reluctantly forced to come to the conclusion that the OpenID people don't care about phishing, since they've defined a standard that has to be the worst I've ever seen from a phishing point of view.

OK, so what's the problem? If I'm a phisher my goal is to be able to log in to some website, the Real Website, as you, the Innocent Victim. In order to do this, I persuade you to go to a website I control that looks like the Real Website. When you log in, thinking it is the Real Website, I get your username and password, and I can then proceed to empty your Paypal account, write myself cheques from your bank account, or whatever fiendish plan I have today.

So, why does OpenID make this worse? Because in the standard case, I (the phisher) have to make my website look like the Real Website and persuade you to go to it somehow - i.e. con you into thinking I am the real Paypal, and your account really has been frozen (or is that phrozen?) and you really do need to log in to unphreeze it.

HP PI pleads guilty to identity theft

A private investigator, hired by HP, pleaded guilty to charges of identity theft and conspiracy in the US on Friday.

Bryan Wagner, 29, a data broker hired by the IT giant last year to probe the source of a news leak, pleaded guilty to the charges during his first appearance in a Californian court last week, according to a statement by the US Attorney.

In court he admitted using "fraud and deceit" to obtain the private telephone records of company directors and journalists. The case will be the first conviction resulting from the HP boardroom leak scandal, with the Colorado resident facing up to seven years in prison. He will be sentenced in June.

"In pleading guilty to two felony counts, Wagner admitted that he was paid as part of a conspiracy that made fraudulent use of Social Security numbers and other confidential information to obtain the personal phone records of reporters and HP officials, as well as the personal records of these individuals' family members," said a US Department of Justice spokesperson in a statement.

Users could be affected if they visit a website exploiting the integer overflow vulnerability and if they have not patched their systems with the latest fix, released Jan. 8, said Ken Dunham, director of VeriSign iDefense Rapid Response Team.

But the exploit is not widespread and appears unreliable following a round of tests, Dunham said.

"It doesn't work all the time, even if you have an unpatched machine," he told SCMagazine.com.

New E-Commerce Identity Tag Makes Online Debut

A long-promised technology for helping consumers verify the legitimacy of commercial Web sites made its debut on the Internet Friday: Visit online security company Entrust's login page with Microsoft's Internet Explorer 7 Web browser and you'll notice that the address bar has turned from white to green. Though when Compliance and Privacy first looked, the green bar was reserved for the page shown when the seal is clicked. All functions now, though.

Entrust's site appears to be the first to feature what are being called "extended validation certificates," a development that is equal parts technology, process and collaboration. It comes in response to an epidemic of phishing attacks, or online scams in which bad guys erect Web sites that impersonate trusted e-commerce and banking sites in order to trick users into revealing personal and financial data.

FBI warns of twist in extortion phishing scam

FBI officials are warning users of a new phishing scam that plays off a recent round of bogus extortion threats.

The initial e-mails phishing for personal information were sent around last month, purportedly from a would-be hit man demanding users pay an extortion fee of thousands of dollars, or face death, according to an FBI advisory.

The e-mail recipients were informed the so-called hit man had been hired by their friend to knock them off, but the hit man would forgo the job as long as a payment of several thousand dollars was made, according to the FBI advisory. Users were asked to quickly respond to the bogus e-mail and provide their telephone number.

Cost of Identity Theft to UK Economy

The Home Office Identity Fraud Steering Committee completed a one-off exercise to update the Cabinet Office estimate for the purpose of establishing trends in the cost of identity fraud over the past three years. The latest estimate is that identity fraud costs the UK economy £1.7 billion. As with the previous study, it represents a best estimate of the scale of the problem.

VeriSign offers bounty on Vista and IE7 bugs

VeriSign's iDefense unit is offering an $8,000 bounty to researchers who discover previously undocumented vulnerabilities in either Windows Vista or IE7.

The flaws need to be serious enough to allow the remote execution of malware on up-to-date installations of the targeted platforms. Bugs that only crash systems, require social engineering tricks, have been previously disclosed or rely on interactions between Microsoft's software and third-party products won't qualify for payment.

But for researchers who submit their zero-day vulnerabilities alongside working exploit code additional payments of up to $4,000 are on offer via iDefense's controversial Vulnerability Contributor Program. Submissions need to be made before the end of March to qualify. Only the first six correct entries will qualify for the loot.

Pump-and-dump stock phishing spam up 400% in 2006

Pump and dump penny stock e-mail phishing scams rose by a massive 400% in 2006 according to data from US digital security firm SonicWall.

Last year both US and Canadian regulators warned online investors of the so-called pump-and-dump stock schemes, where criminals use funds from looted brokerage accounts to drive up the prices of little-traded stocks. They then sell shares they had bought earlier at a profit.

In August, the Investment Dealers Association of Canada warned brokerages to be on the alert for suspect account activity after reports of the scam from a number of member firms, while in December the Securities and Exchange Commission (SEC) obtained an emergency asset freeze against Estonia-based Grand Logistic which is accused of conducting a pump and dump scheme.

Six people arrested for hacking over 20,000 computers

A 19-year-old man who had an international arrest warrant out for him led the group, which created bogus web pages that people logged on to add money to pre-paid cell phone accounts.

Spanish Police have arrested six people suspected of hacking more than 20,000 computers in Spain to steal credit card numbers and other personal bank data in Navarre.

The arrested were identified as five Moroccan nationals and one Spanish woman from Spain's African enclave of Ceuta.

The suspects created bogus web pages that people logged on to add money to pre-paid cell phone accounts, offering a large discount over the going rate for the service. Through those websites they collected the bank data of these unsuspecting consumers, police said in a statement.

Anti-malware system goes in goal at Derby after Trojans land in net

Derby County Football Club has replaced its anti-virus systems with advanced anti-malware technology, following an attempted hacking attack on its networks.

The football club stepped up its security after discovering that its anti-virus system had failed to detect Trojans that could allow hackers to access its networks.

It replaced the system with technology from Prevx which disrupts malware by blocking any unknown program running on the network.

The club was forced to shut down its network of 100 PCs in September last year after discovering copies of the Rbot worm, which installs a backdoor for hackers, on a laptop. System logs showed that hackers had attempted to use the Rbot backdoor to break into the football club's network.

Script kiddie phishing kit

A DIY phishing kit which could put formerly sophisticated fraud attacks into the hands of script kiddies is now available online.

"The Universal Man-in-the-Middle Phishing Kit enables fraudsters to sit between prospective marks and legitimate businesses," says The Register. "Rather than just setting up a bogus website that's promoted through spam email, crooks set up a fraudulent website as a conduit through a legitimate website to communicate with their victims. The technology allows con men to automatically capture victims' personal information in real-time."

Said to have a user-friendly interface designed to help the nontechnical criminal, the kit "automates the programming needed to pull off a normally tricky man-in-the-middle attack on websites such as banks or e-commerce sites," says PC World.

With the new year only in its second week, news outlets have already reported laptop computer thefts of possibly far-reaching implications. Robert Siciliano, a widely televised and quoted personal security and identity theft expert, repeated his mantra: Affordable, simple-to-obtain security solutions such as GPS tracking make laptop theft an easy situation to deal with.

Siciliano, president of IDTheftSecurity.com, leads Fortune 500 companies and their clients in workshops that explore consumer education solutions for data security issues. The Privacy Learning Institute has featured Siciliano, a longtime speaker on identity theft. Author of "The Safety Minute: 01," Siciliano has discussed identity theft and data security on CNBC, on NBC's "Today Show," FOX News, and elsewhere.

"Last year was one rich with data security breaches of all kinds," said Siciliano. "The last thing businesses want to hear is that the data breaches—especially those involving laptop thefts—that so defined 2006 are continuing unabated. And yet this is exactly what we're learning. Luckily, smart organizations will recognize that simple measures to equip their laptops with GPS tracking and other security tools will minimize the associated risks."

Last year saw laptop thefts of daunting proportions dominating much of the news on data security breaches. For a list of laptop thefts in 2006 stretching back to May, visit the following link at Siciliano's Web site: "Laptop Thefts in 2006." January, meanwhile, has been witness to breaches that suggest nothing has changed.

Draft MiFID guidelines published

MiFID Connect, a joint project designed to simplify implementation of the Markets in Financial Instruments Directive, has published a set of draft MiFID guidelines for firms.

The guidelines, covering investment research, suitability and appropriateness, best execution and conflicts of interest, are based on draft Financial Services Authority text and relate to the FSA's expected rules on implementing MiFID.

They have been developed by trade associations such as the Association of British Insurers (ABI) and the British Bankers' Association (BBA).

PayPal users to get pass-code device

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle against data-thieving phishing scams.

A PayPal spokeswoman said: "If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code. This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."

The "PayPal Security Key" will cost $5 for personal PayPal accounts but will be free for business accounts, the spokeswoman said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she added. As of 30 September, there were nearly 123 million PayPal accounts, according to eBay.

Email marketing abuse is rife among top UK companies

A study of the UK's biggest companies has found 31% of them breaking anti-spam laws by sending marketing emails without either prior consent or an existing customer relationship.

CDMS, a data and marketing firm, examined compliance with the EU Directive on Privacy and Electronic Communications by the top 200 companies across 13 sectors, including banking, general insurance, retail and mobile telecoms.

The companies were tested to see whether they consistently offered non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry. These promotions appeared either on the company's own website, through a partner company's website, in a third party e-newsletter, or as part of an advertising or direct mail campaign.

RSA discovers sophisticated phishing kit being sold online

RSA, which is now the security division of EMC, has announced that its 24x7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters.

This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims' personal information in real-time.

RSA's analysts researched and analyzed a demo of the kit that was being offered as a free trial on one of the online fraudster forums that the AFCC monitors regularly.

HM Revenue phish surfaces

Phishing fraudsters are targeting UK taxpayers in the latest attempt to dupe the gullible into handing over sensitive financial details.

The bogus emails promised prospective marks a fictitious tax refund of £70. The attack represents part of the ongoing trend for fraudsters to extend the scope of targets for fraud beyond traditional targets such as eBay, PayPal and Bank of America.

Cryptomathic joins Oath initiative

Cryptomathic has joined the membership of the initiative for Open AuTHentication, Oath, in a move which demonstrates the company's commitment to helping customers reduce the cost and complexity of deploying robust authentication measures, which will increase the security of exchanging sensitive information across a network.

Cryptomathic, one of the world's leading providers of security solutions to businesses across a wide range of industry sectors, including finance, smart card, digital rights management and government, has become a Contributing Member of the industry collaboration and will be participating in both technical and marketing activity.

Through its Oath membership, Cryptomathic will provide the Oath community with the benefits of its experience in large-scale, high-security authentication solutions for the financial sector. By integrating Oath token support into its Authenticator server product, a two-factor authentication solution for combating online fraud, Cryptomathic looks forward to offering flexible and interoperable authentication tokens to all its customers.
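Both the PayPal key fob item above (a six-digit code that changes about every 30 seconds and is entered alongside the normal password) and this Oath item concern one-time-password tokens. The page does not say which algorithm the PayPal device uses, so the added example below assumes the OATH algorithms, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238); it is not PayPal's, Cryptomathic's or Oath's code. The `OtpAccount` class, its method names and the demo secret (the published RFC test-vector key) are constructed for the example. It shows why a stolen username and password alone fail, and adds the check a practitioner wants that a captured code cannot be replayed inside the clock-drift window.

```python
"""Added example: OATH one-time passwords (HOTP, RFC 4226; TOTP, RFC 6238)
behind a second-factor login check that also rejects replayed codes.

Not PayPal's or Cryptomathic's code; the OATH algorithms are an assumption,
since the page does not name the fob's algorithm.
"""
import hashlib
import hmac
import os
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the clock divided into 30-second steps."""
    return hotp(key, int(at_time) // step, digits)


class OtpAccount:
    """Password (PBKDF2-hashed) plus a shared OTP secret: a token-backed login."""

    STEP = 30
    WINDOW = 1  # accept one step of clock drift either way

    def __init__(self, password: str, otp_key: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.otp_key = otp_key
        self.last_counter = -1  # highest counter value already consumed

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def login(self, password: str, code: str, now: int) -> bool:
        # First factor: the password, compared in constant time.
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return False
        # Second factor: the code must match one counter inside the drift window.
        counter = int(now) // self.STEP
        for candidate in range(counter - self.WINDOW, counter + self.WINDOW + 1):
            # Never accept a counter at or below one already used: a code
            # captured by a phisher cannot be replayed, even inside the window.
            if candidate > self.last_counter and hmac.compare_digest(
                hotp(self.otp_key, candidate), code
            ):
                self.last_counter = candidate
                return True
        return False


# Constructed demo secret: the RFC 4226/6238 test-vector key, not a real seed.
DEMO_KEY = b"12345678901234567890"

if __name__ == "__main__":
    acct = OtpAccount("correct horse", DEMO_KEY)
    t = 59  # RFC 6238 test time; falls in counter step 1
    code = totp(DEMO_KEY, t)
    print("token shows", code)
    print("password only   ->", acct.login("correct horse", "000000", t))
    print("password + code ->", acct.login("correct horse", code, t))
    print("replayed code   ->", acct.login("correct horse", code, t + 5))
```

The `last_counter` bookkeeping is the part most toy implementations leave out: without it, a code harvested by a man-in-the-middle page is valid for up to three steps (about 90 seconds with a one-step window), which is ample time to log in with it. With it, each code works exactly once, which is what makes the fob "another layer" rather than a stronger password.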

Google blacklist sheds light on phishing tactics

An analysis of Google's blacklist of suspected phishing sites found that eBay, PayPal and Bank of America together account for almost two in three (63 per cent) of suspected scam sites.

Security researcher Michael Sutton also discovered that Yahoo! hosts a significant number of bogus websites (as identified by Google's blacklist) that try to trick surfers into handing over Yahoo! login credentials. Information from the list is used by anti-phishing technology within the Firefox 2 browser and by the Google Toolbar for Firefox.

Sutton found that 83 per cent of sites detailed on the list are no longer available. By their nature, phishing websites have a rapid turnover, but Google's blacklist, and other such initiatives, undoubtedly help CERTs and other net defenders to identify and remove bogus websites more quickly.

Most of the websites contained in the list use social engineering techniques. Spam emails promoting these sites, often posing as security checks from recognised online firms, attempt to trick users into handing over login credentials. Sutton found little evidence of sites that attempt to use software vulnerabilities to swipe passwords from surfers.

Faster payments should not result in weaker authentication

The 11 faster payments member banks are progressing rapidly with their implementation projects ahead of the November 2007 deadline. However, as the systems being developed will enable a payment to be processed in less than 15 seconds, there is no time to stop a payment, and adequate authentication of the transactions becomes critical.

Paul Meadowcroft, head of transaction security at Thales e-Security, commented: "While the 11 member banks have accepted the rationale and, indeed, benefits faster payment services (FPS) will bring, especially from a customer satisfaction point of view, they are equally aware that FPS has a significant impact upon their fraud risk modelling. Put simply, current systems are not up to the challenge of receiving a payment instruction from a variety of different channels and strongly authenticating that person to prove they are who they say they are within the 15 second transaction processing time limit."

"The effect of this will be felt on many levels. From a basic cost point of view, it exposes the bank to higher risk from fraud and money laundering. However, potentially more damaging could be the effect upon customer satisfaction should the customer fall victim to fraud. Furthermore, it could have a negative impact upon the brand equity of the bank if such failings are perceived to exist."

Security threats on Web more serious this year

It was the year when cybercriminals targeted everything from MySpace to Wikipedia, and even a Web site maintained by a Kentucky Boy Scout troop wasn't safe for casual browsing.

Computer security experts said 2006 was also the year that hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer developers and software sellers.

Like true business people, bad guys not only broadened their reach by attacking popular social networking sites, they also diversified their product line by launching attacks through popular software applications like PowerPoint and Adobe Reader and expanded their activities overseas.

Software makers who try to stop online crooks say they are bracing for a new level of nastiness in 2007, including malicious Web sites that are booby-trapped with software that automatically loads itself onto the machines of users who merely visit the site.

Kaspersky: Malware quality drops, quantity rises

Over the last six months, the technical creativity of malware has fallen, but the quantity has skyrocketed, according to Kaspersky Lab.

They just don't make malware like they used to. Or at least like they did earlier this year.

Even low-quality malware, however, is taxing the resources of security companies, since it is being detected in ever-higher numbers.

Over the last six months, the technical creativity of malware has fallen along with the ability to cause massive damage, such as that created by the MyDoom and Sasser worms of years past, wrote Alexander Gostev, senior virus analyst for Kaspersky Lab, in a recent report.

Gostev's lab intermittently sees highly technical malware, but most is "the same unending stream of Trojans, viruses and worms," he wrote. In many cases, hackers simply take existing malware and create variants, by tweaking the older code to evade antivirus software.

Mixed bag for users in 2007 security crystal ball

2007 will bring a mix of the good and the bad with respect to security. There'll be more phishing attacks, more zero-day exploits, and more agenda-driven malware attacks. A shake-up in the security channel is looming. But the launch of Vista promises more security for users, and there'll be opportunities for VARs to develop new strategies around delivering product to new markets.

Phishing attacks, already a common occurrence, will only increase in number and force, according to Zulfikar Ramzan, senior principal researcher, Advanced Threat Research Group, at Symantec.

"In 2007, we will see a continued increase in phishing attacks," he said. "We will also see an uptick in attacks on new industry sectors, such as online retail, and on multi-player online games, as they become more popular. Symantec's always working hard to stay one step ahead of malware authors, so we will be bringing out a lot of heuristic-based new technologies in 2007."

Google plugs Gmail data leak flaw

Google has fixed a security hole in several of its services that exposed the address books of Gmail users, the company said Tuesday.

An attacker could create a malicious Web site that would copy all the entries in a Gmail user's address book, a potential treasure trove for spammers, according to a description of the problem on the "Googling Google" blog. The only condition is that the user would have to be logged in to Gmail or another Google service.

The issue came to light after Google watcher Haochi Chen probed a feature in Google Video over the weekend. The feature, called "Pick People to Email," lets users select contacts from their Gmail address book to send them a video. However, the feature also opened up the address book to others, Chen discovered.

Verisign issues VoIP security tips

A blog written by security staff at supplier VeriSign has outlined 25 ways to secure an enterprise network that runs voice over IP (VoIP).

VoIP security has been a key concern for IT professionals to date, along with VoIP quality.

The tips include restricting all VoIP data to one Virtual Local Area Network (VLAN); monitoring and tracking traffic patterns on your VoIP network; using multiple layers of encryption; and even avoiding remote management.

Other tips are: lock down your VoIP servers; keep your network away from the internet; apply patches regularly; minimise the use of softphones; isolate voice traffic; and use vendors who provide digital security certificates.

Beware the 'Happy New Year' worm

An email worm disguised as a New Year's greeting is making the rounds on the internet.

Worm-laden messages are titled "Happy New Year" and contain an attachment called either postcard.exe or postcard.zip, according to experts at VeriSign's iDefense Labs, which provides information on security flaws and exploits. If the attachment is opened, malicious software is downloaded from the internet and can infect computers running Windows operating systems.

Once a computer is infected, it looks for open mail proxies and begins spamming mail to infect other computers. The worm is already moving quickly across the internet, at a rate of five emails per second on at least one large network, according to the iDefense Labs website.
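A mail-gateway check for the indicators named above (the "Happy New Year" subject with a postcard.exe or postcard.zip attachment, including an executable hidden inside the zip). This is an added example, not code from the article or from iDefense; the sample messages are constructed here with placeholder payloads.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators reported above for the worm; constructed lists, not an iDefense signature.
WORM_SUBJECT = "happy new year"
WORM_ATTACHMENTS = {"postcard.exe", "postcard.zip"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def attachment_names(msg):
    """Yield (name, bytes) for each attachment, descending one level into zip archives."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        yield name, data
        if name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        yield f"{name}/{inner.lower()}", zf.read(inner)
            except zipfile.BadZipFile:
                yield f"{name}/<corrupt archive>", b""


def scan_message(raw_bytes):
    """Return the list of reasons a message matches the worm indicators (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg["subject"] or "").strip().lower()
    reasons = []
    for name, _data in attachment_names(msg):
        base = name.rsplit("/", 1)[-1]
        if "/" in name and base.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable inside archive: {name}")
        elif base in WORM_ATTACHMENTS and subject == WORM_SUBJECT:
            reasons.append(f"known lure: subject '{subject}' with attachment {base}")
    return reasons


def build_sample(subject, filename, inner_name=None):
    """Construct a test message; payloads are placeholders, not real malware."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", subject
    msg.set_content("Open the postcard!")
    if inner_name:  # wrap a placeholder file inside a zip, as postcard.zip did
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, b"placeholder")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=filename)
    else:
        msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The archive check fires on any executable inside a zip regardless of subject, so a renamed lure is still caught; the subject match only narrows the two known filenames.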

Chinese 'hackers for hire' target users of Microsoft PowerPoint

A new attack is moving across the web in email form, reusing a PowerPoint attachment that was popular last year, “Christmas+Blessing-4.ppt,” which made the rounds via office and home email.

This time the attachment comes with a surprise, and it's targeting businesses.

Chinese hackers, often low-income coders who work for organized criminals, have targeted Western users with a variant of the “Hupigon” Trojan horse. Once installed, it places “msupdate.dll” and “sdfsc.dll” on the user's computer; these form a backdoor that allows remote access to the infected system. The PowerPoint file and its exploit remain effective because of the PowerPoint flaw disclosed in May and June of 2006.

Ken Dunham, director of VeriSign iDefense's rapid response team, told InformationWeek: “The reality is that this is a very popular file, [and the Trojan is] poorly detected by most antivirus scanners.” The attack targeted a company in the public utility sector. Researchers say this exploit started Sunday, and that it only affects computers that are missing the proper updates and patches.